OTPulse

Johnson Controls Sensormatic Tyco AI

Priority: Act Now
CVSS Score: 7.8
Advisory: ICS-CERT ICSA-21-133-02
Published: May 13, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Tyco AI running openSUSE Linux contains a local privilege escalation vulnerability (CWE-193) that allows a user with local access to gain super-user/root permissions on the system. All versions up to and including v1.2 are affected. An attacker must already have user-level access on the device to exploit this flaw. Johnson Controls has released Tyco AI v1.3 with the required Linux operating system updates to correct this issue.

What this means
What could happen
An attacker with local access to a Tyco AI system could gain administrative control over the underlying Linux operating system, potentially allowing them to manipulate building automation logic, disable safety features, or disrupt facility operations.
Who's at risk
Building automation and facility management operators using Tyco AI for HVAC, access control, or other building systems should prioritize patching. This affects all versions up to 1.2 of the Tyco AI platform.
How it could be exploited
An attacker with local or physical access to the Tyco AI device could exploit a privilege escalation weakness in the Linux kernel to run commands with root privileges. This requires the attacker to already have a user account or shell access on the system.
Prerequisites
  • Local or physical access to the Tyco AI device
  • Existing user account or shell access on the system
  • Ability to execute commands on the Linux operating system
Tags:
  • actively exploited (KEV)
  • high EPSS score (92.5%)
  • affects building automation systems
  • local privilege escalation to root
  • patch available but requires coordination
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product         Affected Versions   Fix Status
Tyco AI: All    ≤ v1.2              v1.3
Remediation & Mitigation
Do now
  • HOTFIX: Update Tyco AI to version 1.3 or later as soon as a maintenance window permits
  • HARDENING: Restrict physical and local access to Tyco AI systems using locked enclosures, badge access, or equipment room controls
  • HARDENING: Review and restrict user accounts on Tyco AI systems; remove or disable unnecessary accounts